CN111131169B - Switching network-oriented dynamic ID hiding method - Google Patents

Switching network-oriented dynamic ID hiding method Download PDF

Info

Publication number
CN111131169B
Authority
CN
China
Prior art keywords
internal
external network
hidden
intranet
port
Prior art date
Legal status
Active
Application number
CN201911208371.8A
Other languages
Chinese (zh)
Other versions
CN111131169A (en
Inventor
张文建
刘勤让
宋克
沈剑良
魏帅
高彦钊
赵博
汤先拓
于洪
张霞
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication

Abstract

The invention belongs to the technical field of switched network security and discloses a switched network-oriented dynamic ID hiding method comprising the following steps: step 1: setting internal and external network attributes of the ports of the switching equipment and establishing a port internal/external network attribute table; step 2: constructing a hidden ID pool; step 3: setting an internal/external network ID hidden table; step 4: dynamically adjusting the ID mapping algorithm. Against common attacks on a specific ID, such as DDoS, an attacker cannot reach the user by scanning for the user's ID; against APT attacks on a specific ID, the invention dynamically transforms the mapping between internal and external network IDs, so that, in theory, the attack is avoided as long as the dynamic ID transformation period is shorter than the attacker's cracking period. The method builds the hidden ID pool in software and implements the hidden table in hardware, realizes dynamic ID conversion by randomly and dynamically scheduling entries of the hidden ID pool, and can defend against attack means aimed at the user ID.

Description

Switching network-oriented dynamic ID hiding method
Technical Field
The invention belongs to the technical field of switched network security, and particularly relates to a switched network-oriented dynamic ID hiding method.
Background
With the rapid development of the Internet, network security has become a focus of attention; in a switched network in particular, ID information is among the sensitive information of greatest interest to an attacker. An attacker can easily obtain the ID information of a specific user by sniffing or similar means. Once the attacker has acquired the ID information of a data packet, further APT attacks (lisv, lischev, wang surpass. Typical APT attack event case analysis [J]. Information Network Security (s1)) may be carried out, such as stealing a specific user's information by disguise, or launching a DDoS attack (xumada. DDoS attack principle and coping strategy [J]. Information Network Security (5): 48-50.) against that user and paralysing the target user's system. How to transmit the ID securely in a switched network has therefore become a research hotspot.
Current ID protection measures mainly take the following forms: 1. ID protection on the endpoint device, that is, protecting the ID directly at the source, for example by transmitting data over an encryption protocol or by encrypting the ID separately; this is simple and feasible, but every user accessing the switched network must deploy an ID protection measure, which increases the user's cost; 2. in the switched network, handing the data packet to the control management layer to complete the ID hiding function, for example sending every packet that requires ID hiding to the processor, which performs the ID conversion and similar operations and then returns the packet to the forwarding device; this affects forwarding performance. To eliminate such an impact, a protection technique is needed that can be deployed in the switched network, does not affect forwarding performance, and protects a specific user's ID. Starting from the ID protection requirement of the switched network, this patent provides a switching network-oriented dynamic ID hiding method.
Disclosure of Invention
The invention provides a switching network-oriented dynamic ID hiding method aiming at the problems of high cost and influence on the performance of forwarding equipment in the existing ID protection method of the switching network.
In order to achieve the purpose, the invention adopts the following technical scheme:
a switching network-oriented dynamic ID hiding method comprises the following steps:
step 1: setting internal and external network attributes of the ports of the switching equipment, and establishing a port internal/external network attribute table, so that the ID of user data passing through an internal-network-attribute port, namely the internal network ID, is a private ID, and the ID of user data passing through an external-network-attribute port, namely the external network ID, is a public ID;
step 2: constructing a hidden ID pool;
step 3: setting an internal/external network ID hidden table;
step 4: dynamically adjusting the ID mapping algorithm.
Further, the step 2 comprises:
performing a logical operation on the intranet ID and a random value, and performing a hash mapping with the intranet ID as input to obtain an output used as the extranet ID, wherein the mapping meets the requirements of class A, class B or class C subnet division of the extranet;
each intranet ID must be mapped to several extranet IDs; the internal ID group and the external ID group obtained by this operation are stored to form the hidden ID pool, and for each intranet ID one of its corresponding extranet IDs is randomly selected to form an internal/external ID pair for configuring the internal/external ID hidden table.
Further, the step 3 comprises:
configuring an internal and external network ID hidden table according to the internal and external network mapping relation provided by the hidden ID pool, and associating the internal and external network ID hidden table with a routing forwarding table:
checking the internal and external network attributes of the port through the internal and external network attribute table of the port;
if the user data is the user data sent by the internal network to the external network, replacing the source ID of the data in the route forwarding table by the external network ID in the internal and external network ID hidden table, and then carrying out route forwarding search;
if the user data is the user data sent to the intranet by the extranet, firstly carrying out route searching, and then replacing the destination ID of the data in the route forwarding table by the intranet ID in the intranet ID hidden table;
and if the user data is forwarded between the internal networks or between the external networks, directly carrying out route forwarding search.
Further, the step 4 comprises:
carrying out periodic internal/external network ID mapping transformation according to the mapping method of step 2.
Compared with the prior art, the invention has the following beneficial effects:
The invention relates to a switching network-oriented dynamic ID hiding method, which achieves ID protection of user data forwarded by the switching equipment by setting internal and external network attributes of the switching equipment's ports, constructing a hidden ID pool, setting an internal/external network ID hiding table, and periodically and dynamically adjusting the ID mapping. It has the following advantages:
against common attacks on a specific ID, such as DDoS, an attacker cannot reach the user by scanning for the user's ID;
against APT attacks on a specific ID, an attacker may obtain the external network ID of the specific user within a certain time and carry out subsequent attacks on the corresponding internal network ID, but the dynamic ID hiding method provided by the invention dynamically transforms the mapping between the internal and external network IDs, so that, in theory, the attack is avoided as long as the dynamic ID transformation period is shorter than the attacker's cracking period.
The method builds the hidden ID pool in software and implements the hidden table in hardware, realizes dynamic ID conversion by randomly and dynamically scheduling entries of the hidden ID pool, and can defend against attack means aimed at the user ID.
Drawings
Fig. 1 is a basic flowchart of a switching network-oriented dynamic ID hiding method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a location of a dynamic ID hidden in a system according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
example 1:
as shown in fig. 1, a method for hiding a dynamic ID facing a switching network includes:
step S101: setting internal and external network attributes of a port of the switching equipment, and establishing a port internal and external network attribute table to make ID of user data passing through an internal network attribute port, namely, internal network ID, be private ID, and make ID of user data passing through an external network attribute port, namely, external network ID, be public ID;
According to application requirements, each switch port is given an internal or external network attribute, that is, it is set as an internal-network-attribute (intranet) port or an external-network-attribute (extranet) port. The ID of user data passing through an intranet-attribute port, namely the intranet ID, is a private ID and is visible only internally, that is, only to intranet users; the ID of user data passing through an extranet-attribute port, namely the extranet ID, is a public ID and is visible externally, that is, to all extranet users and attackers.
Step S102: constructing a hidden ID pool;
specifically, the step S102 includes:
performing a logical operation on the intranet ID and a random value, and performing a hash mapping with the intranet ID as input to obtain an output used as the extranet ID, wherein the mapping meets the requirements of class A, class B or class C subnet division of the extranet;
each intranet ID must be mapped to several extranet IDs; the internal ID group and the external ID group obtained by this operation are stored to form the hidden ID pool, and for each intranet ID one of its corresponding extranet IDs is randomly selected to form an internal/external ID pair for configuring the internal/external ID hidden table.
Step S103: setting an internal and external network ID hidden table;
specifically, the step S103 includes:
configuring an internal and external network ID hidden table according to the internal and external network mapping relation provided by the hidden ID pool, and associating the internal and external network ID hidden table with a routing forwarding table:
checking the internal and external network attributes of the port through the internal and external network attribute table of the port;
if the user data is the user data sent by the internal network to the external network, replacing the source ID of the data in the routing forwarding table by the external network ID in the internal and external network ID hidden table, and then carrying out routing forwarding search;
if the user data is the user data sent to the intranet by the extranet, firstly carrying out route searching, and then replacing the destination ID of the data in the route forwarding table by the intranet ID in the intranet ID hidden table;
and if the user data is forwarded between the internal networks or between the external networks, directly carrying out route forwarding search.
Step S104: the ID mapping algorithm is dynamically adjusted.
Specifically, the step S104 includes:
performing periodic internal/external network ID mapping transformation according to the mapping method of step S102, increasing the dynamism of the mapping and thereby ensuring the dynamism of user ID hiding.
It should be noted that, in this embodiment, the ID may be an IP address or a MAC address, so the hidden ID pool may also be referred to as a hidden address pool.
As a specific implementation, as shown in fig. 2, the dynamic ID is hidden in a position in the switching network system, and the key modules include: a dynamic ID mapping algorithm, a hidden ID pool, a port internal and external network attribute table and an internal and external network ID hidden table. The dynamic ID mapping algorithm and the hidden ID pool are arranged in a system control management layer, and the port internal and external network attribute table and the internal and external network ID hidden table are arranged in the hardware (a switching chip) of the switching equipment. Among them, the two hidden tables (intranet and extranet ID hidden tables) shown in fig. 2 may be one or two physically.
In the system control management layer, the dynamic ID mapping algorithm for dynamic ID hiding works as follows: first, a random number is selected and a logical operation is performed on it and the intranet ID; second, the result of that operation is used as the input to a hash algorithm, for which CRC-32 may be selected, with the generating polynomial given as x^16 + x^15 + x^5 + 1; finally, each intranet ID is mapped several times, the mapping relations are stored in the hidden ID pool, an internal/external ID pair is randomly and dynamically selected from the hidden pool, the mapping to be issued is stored, and the updated ID conversion mapping is issued to the switching equipment hardware (switching chip).
And issuing configuration to the exchange chip according to a common configuration flow, and realizing dynamic change of an internal and external network ID hidden table in the chip by periodic calling so as to achieve dynamic ID hiding.
Dynamic ID hiding is implemented in the switching hardware (switching chip). Because the dynamic ID is hidden for a specific user, the specific user is set as an intranet user, an unprotected user is set as an extranet user, and for different scenes, the processing modes of data messages through the switching chip are different:
1. when an intranet user sends a data message to an extranet user: first, header parsing is performed; the intranet attribute of the packet is determined from the port internal/external network attribute table; a routing forwarding lookup for the destination port is performed, and when the destination cannot be matched within the intranet, the internal/external network ID hidden table is queried and the source ID is replaced by the lookup result, so that the source ID is modified and hidden; the destination port is then looked up by routing forwarding, and finally the packet is forwarded;
2. when an extranet user sends a data message to an intranet user: first, header parsing is performed; the extranet attribute of the packet is determined from the port internal/external network attribute table; the routing forwarding table is then consulted to find the destination port; the internal/external network ID hidden table is queried to obtain the corresponding intranet ID, which replaces the destination ID in the packet; finally, the packet is forwarded;
3. when extranet users communicate with each other: first, header parsing is performed; the extranet attribute of the packet is determined from the port internal/external network attribute table; the destination port is looked up by routing forwarding, and the packet is forwarded;
4. when an intranet user sends a data message to another intranet user: first, header parsing is performed; the intranet attribute of the packet is determined from the port internal/external network attribute table; the routing forwarding lookup for the destination port matches within the intranet, and after the destination port is confirmed to have the intranet attribute, the packet is forwarded.
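The control-plane pool construction (steps S102 and S104) and the four data-path cases above, as an added Python model that is not the patent's or the applicant's code. It assumes IPv4 IDs, XOR as the logical operation, zlib's standard CRC-32 as the hash (the page only names the polynomial x^16 + x^15 + x^5 + 1, which is not reproduced), and the two drop rules marked as assumptions in the comments.

```python
import ipaddress
import random
import zlib

# Constructed model of the patent's scheme (added example, not the patent's code).
# Control plane: (intranet ID XOR random) -> CRC-32 -> host part of the public subnet.
# Data plane: rewrite source/destination IDs according to the ingress port attribute.


def map_intranet_to_extranet(intranet_ip: str, rand: int, subnet: str) -> str:
    """One mapping of the hidden pool: fold the hash into a host of the public subnet."""
    net = ipaddress.ip_network(subnet)
    mixed = int(ipaddress.ip_address(intranet_ip)) ^ (rand & 0xFFFFFFFF)
    digest = zlib.crc32(mixed.to_bytes(4, "big"))   # CRC-32 chosen as the hash function
    host_space = net.num_addresses - 2               # keep network and broadcast unused
    return str(net.network_address + (digest % host_space + 1))


def build_hidden_pool(intranet_ips, subnet: str, per_id: int, seed=None) -> dict:
    """Hidden ID pool: per_id distinct extranet IDs for every intranet ID."""
    rng = random.Random(seed)
    net = ipaddress.ip_network(subnet)
    if per_id * len(intranet_ips) > net.num_addresses - 2:
        raise ValueError("public subnet too small for the requested pool")
    pool, used = {}, set()
    for ip in intranet_ips:
        exts = []
        while len(exts) < per_id:
            ext = map_intranet_to_extranet(ip, rng.getrandbits(32), subnet)
            if ext not in used:        # two private IDs must never share a public ID
                used.add(ext)
                exts.append(ext)
        pool[ip] = exts
    return pool


def select_hidden_table(pool: dict, seed=None) -> dict:
    """Step S104: pick one public ID per private ID; this is what the chip receives."""
    rng = random.Random(seed)
    return {ip: rng.choice(exts) for ip, exts in pool.items()}


def pool_is_consistent(pool: dict, subnet: str) -> bool:
    """Check every public ID lies in the subnet and no public ID is reused."""
    net = ipaddress.ip_network(subnet)
    exts = [e for group in pool.values() for e in group]
    return len(set(exts)) == len(exts) and all(ipaddress.ip_address(e) in net for e in exts)


class SwitchChip:
    """Hardware side: port attribute table, routing table and the hidden table."""

    def __init__(self, port_attr: dict, routes: dict):
        self.port_attr = port_attr   # port number -> "internal" | "external"
        self.routes = routes         # destination ID -> egress port
        self.hidden, self.reverse = {}, {}

    def install_hidden_table(self, table: dict):
        self.hidden = dict(table)                            # intranet ID -> extranet ID
        self.reverse = {ext: ip for ip, ext in table.items()}

    def forward(self, in_port: int, src: str, dst: str):
        """Return (egress_port, src, dst) after rewriting, or None to drop."""
        if self.port_attr[in_port] == "internal":
            egress = self.routes.get(dst)
            if egress is not None and self.port_attr[egress] == "internal":
                return egress, src, dst                      # case 4: intranet -> intranet
            if src not in self.hidden:
                return None                                  # assumption: unmapped private source is dropped
            egress = self.routes.get(dst)                    # case 1: hide source, then route
            return (egress, self.hidden[src], dst) if egress is not None else None
        if dst in self.reverse:                              # case 2: restore the private destination
            private_dst = self.reverse[dst]
            egress = self.routes.get(private_dst)
            return (egress, src, private_dst) if egress is not None else None
        egress = self.routes.get(dst)                        # case 3: extranet -> extranet
        if egress is None or self.port_attr[egress] == "internal":
            return None                                      # assumption: private ID reached from outside is dropped
        return egress, src, dst
```

Re-running `select_hidden_table` with a fresh seed and calling `install_hidden_table` on each period is the step S104 rotation; the drop rules are this example's hardening, not part of the patent's text.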
The embodiment of the invention provides a switching network-oriented dynamic ID hiding method, which achieves ID protection of user data forwarded by the switching equipment by setting internal and external network attributes of the switching equipment's ports, constructing a hidden ID pool, setting an internal/external network ID hiding table, and periodically and dynamically adjusting the ID mapping. It has the following advantages:
against common attacks on a specific ID, such as DDoS, an attacker cannot reach the user by scanning for the user's ID;
against APT attacks on a specific ID, an attacker may obtain the external network ID of the specific user within a certain time and carry out subsequent attacks on the corresponding internal network ID, but the dynamic ID hiding method provided by this patent dynamically transforms the mapping between the internal and external network IDs, so that, in theory, the attack is avoided as long as the dynamic ID transformation period is shorter than the attacker's cracking period.
The method builds the hidden ID pool in software in the control management layer of the switched network system, implements the hidden table in hardware, and realizes dynamic ID conversion by randomly and dynamically scheduling the addresses of the hidden pool.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (1)

1. A switching network oriented dynamic ID hiding method is characterized by comprising the following steps:
step 1: setting internal and external network attributes of a port of the switching equipment, and establishing a port internal and external network attribute table to make ID of user data passing through an internal network attribute port, namely, internal network ID, be private ID, and make ID of user data passing through an external network attribute port, namely, external network ID, be public ID;
step 2: constructing a hidden ID pool; step 2 comprises the following steps:
performing a logical operation on the intranet ID and a random value, and performing a hash mapping with the intranet ID as input to obtain an output used as the extranet ID, wherein the mapping meets the requirements of class A, class B or class C subnet division of the extranet;
each intranet ID must be mapped to several extranet IDs; the internal ID group and the external ID group obtained by this operation are stored to form the hidden ID pool, and for each intranet ID one of its corresponding extranet IDs is randomly selected to form an internal/external ID pair for configuring the internal/external ID hidden table;
step 3: setting an internal/external network ID hidden table; step 3 comprises the following steps:
configuring an internal and external network ID hidden table according to the internal and external network mapping relation provided by the hidden ID pool, and associating the internal and external network ID hidden table with a routing forwarding table:
checking the internal and external network attributes of the port through the internal and external network attribute table of the port;
if the user data is the user data sent by the internal network to the external network, replacing the source ID of the data in the route forwarding table by the external network ID in the internal and external network ID hidden table, and then carrying out route forwarding search;
if the user data is the user data sent to the intranet by the extranet, firstly carrying out route searching, and then replacing the destination ID of the data in the route forwarding table by the intranet ID in the intranet ID hidden table;
if the user data is forwarded between the internal networks or the external networks, the route forwarding search is directly carried out;
step 4: dynamically adjusting the ID mapping algorithm; step 4 comprises the following steps: carrying out periodic internal/external network ID mapping transformation according to the mapping method of step 2;
the port internal/external network attribute table and the internal/external network ID hidden table reside in the hardware of the switching equipment;
the ID may be an IP address or a MAC address, so the hidden ID pool may also be called a hidden address pool; when the ID is a MAC address, the process is substantially the same as when the ID is an IP address, except that the corresponding forwarding table becomes a MAC forwarding table.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911208371.8A CN111131169B (en) 2019-11-30 2019-11-30 Switching network-oriented dynamic ID hiding method


Publications (2)

Publication Number Publication Date
CN111131169A CN111131169A (en) 2020-05-08
CN111131169B true CN111131169B (en) 2022-05-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant